Follow us on

A view from the crow’s nest

by Simon Longstaff
01 June 1998

One of the products of the 1980s was a joke that went something like this:

Question: What have you got with eight Australian entrepreneurs up to their necks in sand?

Answer: Not enough sand!

I mention this because the fact that this joke was popular in places as far away as the New York Stock Exchange tells us something about the way in which a considerable amount of business was done, in Australia, during the last decade.

Alas, the Alan Bonds and Christopher Skases of the world (Bond is in gaol in Western Australia, Skase is still hiding, from the Australian authorities, in Spain) could not have indulged their own particular craving for excess unless they had enjoyed the steady patronage of a number of financial institutions. Indeed, a number of Australia's leading banks were severely embarrassed by the losses incurred through imprudent lending. However, they have, for the most part, restored their dignity and balance sheets (if not their popularity). Yet, as some of you may recall, not all of the financial institutions survived their own brand of folly during this period. Let me outline just one powerful example.

The State Bank of Victoria – a government-owned bank – owned a subsidiary merchant bank called Tricontinental. When Tricontinental suffered an AUD2.5 billion dollar collapse, the State Government of Victoria ordered a Royal Commission to investigate the circumstances of the bank's failure. Tricontinental was not the only catastrophe to emerge from the 1980s – but it was one of the worst. As Joe Nagy argues, in his book In Over Our Heads: Lessons from the excesses of the '80s:

"It serves as a textbook case: for directors, who should have been aware that Trico was not being managed the way a financial institution should be managed; for auditors, who should have been aware of administrative and control deficiencies; and for governments, who should have avoided getting involved in a high risk business which they knew little about. For a time, it was the nation's largest and fastest-growing merchant bank, a feat remarkably accomplished with the skimpiest internal controls. Incredibly, its parent, the State Bank of Victoria, did not conduct any internal audits."

The Managing Director of the State Bank of Victoria was Bill Moyle. He also served as a Director on the Board of Tricontinental. Whatever he may have thought in private, all of his public comments were supportive of Tricontinental and its CEO, Ian Johns. Yet in May 1989, the bank 'self destructed'. Again as Joe Nagy argues:

"That this happened should not have come as a surprise to anyone who understood the lending business. What was astonishing was that an experienced banker like Moyle and a reputable accounting firm like Peat Marwick failed to detect the warning signs and take appropriate action. Later, there would be no shortage of admonition . . . It subsequently came to light that loans were quickly approved on rubber-stamp credit analysis procedures, even though the borrower was, in some cases, in default. Corporate governance was another weakness. Confusion existed whether Ian Johns, Tricontinental's Managing Director, was reporting to his board chairman or to Moyle."

The Woodward Royal Commission appointed to investigate the collapse, came to a similar conclusion. In relation to the board it found that:

"The board deliberately accepted high risk in the pursuit of high reward. The theory was that the high risk would be confined within acceptable limits by skilled managers and staff, and by appropriate supervision by the board. In the event, the performance by both management and board was less than adequate for the strategy which the board had endorsed."

Indeed, the report finds that the Managing Director of Trico treated the board as a group of men to be “placated and manipulated”.

Major ethical failures are not usually caused by greedy or dishonest people. Instead, the vast majority of these failures are produced by the actions of inadequate or incompetent managers and directors.

It is worth quoting one other of the Royal Commission's findings before moving on. Unlike the case of Nick Lesson, at Barings, most of the losses suffered by Tricontinental were not the product of deliberately dishonest behaviour by the leading figure, Ian Johns. The Royal Commission found that:

"All those decisions of Mr Johns which directly brought about the huge losses suffered by Tricon were made by Mr Johns in the belief that they were in the best interests of the group. He backed his judgement without consulting others; he made reckless decisions on inadequate information; he put his faith in many apparently successful businessmen who proved unworthy of his confidence; and when they seemed to be failing him he was unwilling to admit the possibility of losses. These were the faults of an over-confident gambler, not a criminal."

This is an extremely important point. Major ethical failures are not usually caused by greedy or dishonest people. Instead, the vast majority of these failures are produced by the actions of inadequate or incompetent managers and directors.

I have spent quite a bit of time airing some of the Australian banking system's old 'dirty laundry'. I have done so because I believe that the Australian experience holds lessons for others who might wish to avoid our errors. As the maxim says: “those who do not learn from the past are condemned to repeat it”. So what are the lessons?

Well, the first of these is that the whole issue of corporate governance needs some very careful examination.

Understanding corporate governance

Ask a dozen people to define 'corporate governance' and you are likely to obtain as many different answers. For some, the term refers to a set of formal arrangements that define and shape the institutional framework within which the activities of a corporation are directed. I will call this the 'structural' approach. On this view, the most important issues to be addressed include:

  • Has the board been appropriately structured with the proper mix of executive and non-executive directors?

  • Has the board effectively operated the recommended range of standing committees – especially, an executive committee, a remuneration committee and an audit committee?

  • Has the audit committee had independent access to the external and internal auditors?

  • Have the minutes of standing committees been circulated to all directors in a timely manner?

  • Have potential and real conflicts of interest been properly disclosed?

  • Have conflicts of interest been properly addressed?

  • Have all other forms of disclosure, in relation to matters such as related party transactions, been made in the appropriate form and manner?

  • Have directors been diligent in attending meetings?

  • Have appropriate policies and delegations been put in place by the board?

  • Has the board ensured that its statutory reporting obligations have been satisfied?

Many individuals and groups will accept conformance to criteria, such as those listed above, as being the benchmark against which best practice can be assessed. Indeed, even to achieve this degree of good governance can be rewarding. To give you a sense of this, let me quote one of McKinseys' 1997 research findings:

"We surveyed 50 money managers representing $850 billion in assets, and found that they were willing to pay an 11% good-governance premium on average."

As you might imagine, this is the kind of finding likely to make directors sit up and pay attention. However, it is my view that the 'structural' approach to corporate governance is profoundly mistaken. Indeed, I think that its adoption is likely to lead to failures of the kind experienced at Tricontinental. There is no better place to start a discussion of this point than in the observation that good corporate governance must be driven by a commitment to increasing the quality of corporate performance – as measured right across the corporation. One of the most compelling arguments for this stems from the work of the former Dean of the Australian Graduate School of Management, Professor Fred Hilmer. In a significant passage from Strictly Boardroom, Hilmer writes:

"The board's key role is to ensure that corporate management is continuously and effectively striving for above-average performance, taking account of risk. This is not to deny the board's additional role with respect to shareholder protection."

There are a few points that need to be drawn from his comment. The first is that many directors have taken the increase in the level of their personal liability as an unassailable reason for ensuring that the companies they direct comply with the laws and regulations governing their operation. If an increase in personal liability was meant to concentrate the minds of directors on their duties, then it has succeeded admirably.

However, this achievement has been at a cost – namely, a damaging tendency for boards to focus on conformance – often at the expense of performance. To be blunt, there are some directors who consider that their first duty is to protect their own position and only after that will they look to improving the performance of the company.

Unfortunately, for them, the rise of shareholder activism has put such people between the proverbial rock and a hard place. Institutional investors, in particular, have little interest in the fine details of directors' liability. They want performance and where it is lacking, are more than ever prepared to remedy the situation by voting for the removal of directors.

Corporate governance is really about the way in which a board, through its development of policy and its own example, defines the breadth and nature of relationships that will shape the conduct of the company. As such, boards need to go behind structure and get a feeling for the soul or spirit of the organisation. This is not some abstract requirement or an ‘optional extra’. Boards that fail to do so, expose themselves (and the company's stakeholders) to additional costs. But they also take unnecessary risks.

In relation to this, it is worth recalling Professor Hilmer's point that directors should be encouraging above-average performance, taking account of risk. It was the failure to take account of risk that brought down Tricontinental, and it is this failure that puts so many other institutions in harms way. This is especially so for financial institutions that must deal with a complex mix of risk including: currency risk, market risk, credit risk, and so on. It is difficult to imagine that the prudent management of risk has ever been more challenging than it is today. A combination of factors including: globalisation, powerful and evolving technology, changing social patterns and the like, all contribute to an environment characterised by rapid, profound and constant change.

All of which suggests that company directors are going to require some extremely professional assistance if they are ever going to achieve, effectively, the delicate task of balancing the tasks of driving performance while managing risk. Which is why the role of internal audit is of such significance.

The role of the internal auditor

As a practicing company director who sits on the board of a medium-sized Australian financial institution, I can honestly say that I place considerable reliance on the work of our audit committee and the continuing work of the company's internal auditor. There are a number of 'givens' – issues that no responsible person could, in my opinion, possible disagree with. They are extremely obvious but, for the sake of completeness, I will list them:

  • Every board should aim to have a properly functioning audit committee

  • The audit committee should be chaired by a non-executive director (as a minimum) and ideally, should be entirely composed of non-executive directors

  • The audit committee should meet regularly

  • The audit committee should have direct access to the external and internal auditors (and vice versa)

  • The audit committee should give initial approval to both the external and internal audit plans – both of which should be submitted to the full board for approval

  • The audit committee should ensure that the internal auditor is given sufficient delegated authority to discharge the full range of duties and functions set out in the relevant international standard(s)

  • The audit committee and internal auditor should oversee the operations of all subsidiaries and joint ventures (where the level of risk or control warrants this)

  • The internal auditor should be known to all directors and should report to the full board from time to time

As noted above, these requirements should be self-evident. At any rate they are the minimum requirements that one would expect to find in any organisation that is serious about achieving best practice.

Beyond this, some of you may be familiar with a new Australian Standard, AS 3806 – 1998, published by Standards Australia on 5 February 1998. The fact that this is an Australian Standard should not confer it with any particular status (good or bad). However, given its recent development and the fact that many advances in corporate governance, in Australia, come to be adopted in other parts of the world (including the USA), there may be some benefit in considering the approach adopted in the Standard. In passing, it should be noted that both the newly formed Association for Compliance Professionals of Australia and the Institute of Internal Auditors were represented on the committee that prepared the Standard.

There is a wealth of relevant information included in the standard. However, let me highlight just a few parts that might be of interest. First, the purpose of the Standard which reads:

The purpose of this Standard is to provide a framework for an effective compliance program, the performance of which can be monitored and assessed.

A compliance program is an important element in the corporate governance and due diligence of an organisation, and should:

  • aim to prevent, and where necessary, identify and respond to, breaches of laws, regulations, codes or organisational standards occurring in the organisation

  • promote a culture of compliance within the organisation

  • assist the organisation in remaining or becoming a good corporate citizen

I have no doubt that you will have noticed one or two important principles that have been included in the Standard. The first is that the Standard includes a reference to general “organisational standards”. This means that the full gamut of risk management policies need to be implemented and monitored once they have been defined by the board. In addition to this, there is the fascinating reference to “good corporate citizenship” – a concept that, having been linked to compliance, must become closely embedded in the thinking of boards and management.

Although I realise that internal auditors are not necessarily responsible for an organisation's full compliance program, it may be worth considering how the Australian Standard defines the role of the person who does take on this responsibility:

The senior executive responsible for overseeing compliance should have direct access to the Chief Executive Officer and any audit or compliance committee.

The senior executive, or where employed, compliance manager should:

  • have high status, authority, recognition and support within the organisation;

  • have a record of integrity and commitment to compliance;

  • have access to expert knowledge of relevant laws, regulations, codes and organisational standards;

  • have good communication skills;

  • have access to staff or advisors who are able to translate legal and other compliance obligations into everyday organisational procedures;

  • be responsible for ensuring that practices and documentation comply with the law, including ensuring that such obligations are understood and observed by relevant managers and staff;

  • have access to all levels of the organisation, as necessary, to ensure compliance;

  • be able to consider and advise on compliance problems encountered by staff;

  • be both a formal and informal reference point on compliance matters;

  • be responsible for the overall design, consistency and integrity of the system; and

  • have access to senior decision-makers and participate in the organisation's senior decision-making processes

I realise that some internal auditors will not see their traditional role in quite these terms. Instead, they may veer towards a more passive 'reporting' role. However, having observed the way things are going, I feel fairly certain that the trend is towards a situation in which the role of the compliance manager and internal auditor will be, in all practical respects, interchangeable.

This will be no bad thing as it will help to make evident, to the management community in general, the fact that those working in the field of internal audit can play a vital role in adding value to the business. For example, professionals operating in this role have been known to expand their responsibilities to include those of: managing and monitoring the process of obtaining 'quality' certification (for example, ISO9000 and ISO14000), monitoring customer satisfaction and so on.

Having said this, there is no denying the fact that internal auditors are often placed in a very difficult position – especially when they are seen as the bearers of bad news about the performance of line management. The reality is that only the most flinty of souls can be unaffected by the prospect of having to identify the failures of their colleagues. As such, internal auditors can face a particularly poignant kind of conflict of interest (or perhaps, more accurately, conflict of duties).

Of course, the potential for this kind of conflict is virtually written into the job description. However, the conflicts can often manifest themselves in especially challenging forms. Let me give a few examples:

  • Imagine that you have discovered a breach in the lending policies of your bank. The trouble is that the recipient of the funds is a company that provides most of the employment in a district where the majority of your family lives. What would you do? What should you do?

  • Suppose that you uncover a transaction that has been structured in such a way as to defer profits until the next financial year. The manager asks you to do nothing as economic indicators suggest that the funds will be needed to support employment, within the bank, in the next financial year. What would you do? What should you do?

  • What if you uncover a breach of procedures that, if reported, will lead to a colleague having her bonus cut. Your colleague is supporting her aged parents and she pleads with you to ‘turn a blind eye’. What would you do? What should you do?

Questions such as these are not easily answered. Yet, the internal auditor has no option but to face them squarely. How might this be done?


One approach is to recognise that internal auditors are bound by the very general obligations that attach to any person who claims to be a ‘professional’. The term is one loosely applied to many occupational groups, these days. Furthermore, I know that the very idea of the professions has been receiving quite a battering from people who no longer believe that members of the professions honour the kind of commitments that I wish to outline below. Instead, a growing body of opinion thinks that members of the profession hide behind a noble sense of their calling while, at the same time, ruthlessly exploiting every opportunity to advance their self-interest. I must confess that I fall into a more 'conservative' camp that still believes that the ideas of professional service are distinctive (and problematic) but worth preserving (even if only as an aspiration) all the same.

One particularly influential definition of a profession was offered by Roscoe Pound. It goes as follows:

"The term refers to a group ... pursuing a learned art as a common calling in the spirit of public service – no less a public service because it may incidentally be a means to livelihood. Pursuit of the learned art in the spirit of public service is the primary purpose."

The point should be made that to act "in the spirit of public service" at least implies that one will seek to promote or preserve the public interest. A person who claimed to move in a spirit of public service while harming the public interest could be open to the charge of insincerity or of failing to comprehend what his or her professional commitments really amounted to in practice.

In August of 1993, the Australian Council of Professions issued a discussion paper, Professional Services, Responsibility and Competition Policy. Significantly, a press release about this paper was issued under the title, In The Public Interest. Both the paper and the release sought to distinguish a profession from "more commercially minded occupational associations". As opposed to others, professional practitioners:

"... must at all times place the responsibility for the welfare, health and safety of the community before their responsibility to the profession, to sectional or private interests, or to other members of the profession."

If the idea of a profession is to have any significance, then it must hinge on this notion that professionals make a bargain with society in which they promise conscientiously to serve the public interest – even if to do so may, at times, be at their own expense. That is, to be a professional is to face the very real prospect of having to act with moral courage.

This may be especially important in the case of those who help to maintain the integrity of financial institutions. I say this because so many ordinary people, indeed the community as a whole, depend on the banks and other financial institutions being sound – both above and below the waterline. As we all know, the failure of financial institutions can have devastating effects on the lives of people.

While not wanting to suggest that internal auditors are required to be especially ethical or courageous they do have the advantage of belonging to a professional association that can support them, if it is minded to do so. Individuals acting alone may feel unable to raise their concerns for a variety of reasons which might include: a lack of access to relevant information, concern about continued employment prospects and so on. Internal auditors enjoy peer support, which should be directed to helping them to discharge professional obligations – especially those relating to integrity, an orientation towards the truth and a commitment to the provision of independent advice.

Let me be clear, I am not suggesting that internal auditors ought to substitute their judgement for that of their employer on matters of policy. Instead, I am saying that internal auditors must not suspend their judgement in deference to those who exercise power or influence. That is, the critical assessment by internal auditors should bolster a more general tradition in which professionals provide impartial advice and service to their employer. To do so is quite consistent with a more general professional obligation to discern the difference between a client's interests and wants. This is to engage in the distinctive form of 'best practice' that informs the work of members of the professions.

Talk of 'best practice' frequently leads people to concentrate on a quasi-technical framework in which measurable standards are defined. The focus is on defining what constitutes superlative technique. But is this enough? Let me state clearly that I think it essential that people aim for technical excellence. However, to leave it at that would be to endorse the development of a lop-sided kind of practitioner who is only concerned with how best to prosecute the means to an end.

While a concern for means is important, let me suggest that the idea of 'best practice' should also encompass the development of skills, understanding and dispositions that allow for excellence in the assessment of ends. It can only be so if you accept my suggestion that internal auditors should play a vital and creative role in assisting organisations to exercise informed judgement. Informed judgement should reflect on the destination as well as the means of travelling! It is important to ensure that both means and ends can be justified. How many times have we heard statements that boil down to nothing more than a claim that 'the ends justify the means'?

It is possible that my discussion of this topic has enlarged the role of the internal auditor well beyond what many people consider to be an acceptable boundary. In doing so, I am bound to have made life rather more complicated than most would have preferred it to be. Unfortunately, it is difficult to see how the conclusions that I have reached could have been avoided. The world is a more complicated place for companies to negotiate. Many directors feel uncomfortable in this world and are ill-equipped to deal with an emerging paradigm of corporate governance that goes well beyond today's formal requirements.

This is where the internal auditor can play such an important role. Part of the task is to help the board have a proper appreciation of the internal and external risks that need to be managed. However, beyond this is an even more fundamental task – namely, to act as the eyes and the ears of the board. Or, perhaps, a better analogy might be that the internal auditor should act as a lookout, sitting atop the crows' nest, keeping an eye out for trouble.

I suppose that a number of you will have seen James Cameron's film epic Titanic. It offers a powerful metaphor for contemporary life. For all the power of the technology that powered the doomed ship, she was still consigned to the deep by an iceberg. Titanic is also a serviceable simile for what happened at a host of institutions like the doomed bank, Tricontinental. Indeed, the parallels are eerily similar. In both cases, the captain was blind to the risks, in both cases there was inadequate supervision, in both cases the risk of harm to the most vulnerable people were disproportionately high when compared to those better off. In both cases, the bulk of the risk lay below the water line – waiting to strike. In both cases, the fatal risk could have been avoided.

A good look out, in constant communication with those in charge of the helm, could never hope to save a Titanic; but he or she could certainly hope to prevent the harm from occurring in the first place. Internal auditors are in a position to play an equivalent role.


I want to conclude by stressing the need for a practical response to the issues outlined above. In the context of this paper, this means drawing attention to some specific aspects of the corporate governance equation. For example, the preceding discussion begins to throw a somewhat different light on issues such as; the need for non-executive directors, the role of audit committees and so on. Some see initiatives in corporate governance as nothing more than a fashionable response to the problems of the past.

However, if the general welfare of stakeholders is dependent on the company adopting best practice in corporate governance (as more broadly construed), then it is essential that boards set an adequate example and establish institutional structures that support the desired outcome.

Most of the points outlined above relate to prudential reasons for encouraging best practice in corporate governance. There are also ethical reasons which bring us back to the central theme of this paper. Corporate governance is about setting a framework within which extraordinarily complex relationships unfold on a daily basis. Business is a human institution. Whether human nature is set in stone or not is open to debate. My own view is that the good within people can be liberated within supportive social environments. If we want a better world, then it is incumbent on directors to exercise positive influence over those parts of society that they control. In turn, directors ultimately depend on the existence of a trusted source of 'feed-back' that lets them know that their policies are having the desired effect. Internal auditors have the capacity to provide this information – not as a way of 'second guessing' or contradicting management – but as a form of assurance and reassurance for the directors who bear ultimate responsibility for the conduct of the company.

There is a profoundly moral aspect to corporate governance. Not only does a board have to decide the broad parameters within which a company will operate, it also has to decide how the company will be. That is, the board has a vital role to play when helping the organisation to answer the questions, “Who are we? What do we stand for?” Having helped to define the answers to these key questions, there is an essential role to be played by professionals involved in the internal audit functions of a company.

I, for one, have a broad expectation of internal auditors. That is, I do not see their role as being confined to an examination of systems and procedures limited to financial issues. Good governance is a creative act. It is therefore fraught with risk and difficulty. Internal auditors help to manage that risk – not by applying strict controls alone. Rather, they should be available to offer wise counsel and assistance to their colleagues.

Dr Simon Longstaff AO is Executive Director of St James Ethics Centre.